2013-08-01 - COOL EK FROM 142.0.45.29 - XWQRALQ.SERVEHTTP.COM

PCAP AND MALWARE:

NOTES:

2013-08-01 - INTERESTING EXPLOIT PATTERN

I ran across a new traffic pattern from 3 drive-by exploits in the last 24 hours.  All 3 machines were hit with the same drive-by while the users were viewing a YouTube video.  For example:

Original referrer: www.youtube.com - GET /watch?v=qf8TpcSuRWA&list=RD02ERjVEX5FgoI

2 of the 3 machines became infected.  In both of the infections, we saw the following type of callback traffic to 5.104.106.79:

Here's a comparison of the three initial HTTP GET requests to the different malware delivery domains:

Same thing with the Java exploits...

It looks like top.lossa.be was the handover domain each time.  Here are a few screenshots of the traffic:

188.120.236.219 - top.lossa.be - GET /pro/

142.0.45.29 - xwqralq.servehttp.com - GET /water/boundary_combine.html

142.0.45.29 - xwqralq.servehttp.com - GET /water/magnitude-geological.jar

142.0.45.29 - xwqralq.servehttp.com - GET /water/magnitude-geological.txt?f=102

Callback traffic: 5.104.106.79 - POST /index.php
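To turn the chain above (handover domain, landing page, .jar, .txt?f= payload, then the POST callback) into something a defender can run over proxy logs, here is an added Python example; it is not code from the original post or from this site. It assumes a constructed, space-separated proxy log format (time, client, server IP, host, method, path, referer) and constructed sample lines that replay the sequence for one infected client, one client that received the exploit but never called back (like the third machine above), and one clean client. The domains and IPs are the indicators listed in this post; the client addresses and the YouTube/example.com server addresses are made up.

```python
"""Rebuild the Cool EK chain (handover -> landing -> .jar -> .txt?f= -> POST)
from proxy logs. Added example, not code from the original write-up; the
log format and the SAMPLE_LOG lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Indicators quoted from the write-up above.
KNOWN_EK_HOSTS = {"top.lossa.be", "xwqralq.servehttp.com"}
KNOWN_EK_IPS = {"188.120.236.219", "142.0.45.29"}
KNOWN_CALLBACK_IPS = {"5.104.106.79"}

# Constructed proxy log, assumed format: time client server_ip host method path referer
# Client addresses and the YouTube/example.com server IPs are made up (TEST-NET-1 range).
SAMPLE_LOG = """\
# time client server_ip host method path referer
2013-08-01T10:00:01 10.0.0.5 192.0.2.10 www.youtube.com GET /watch?v=qf8TpcSuRWA&list=RD02ERjVEX5FgoI -
2013-08-01T10:00:03 10.0.0.5 188.120.236.219 top.lossa.be GET /pro/ http://www.youtube.com/watch?v=qf8TpcSuRWA
2013-08-01T10:00:04 10.0.0.5 142.0.45.29 xwqralq.servehttp.com GET /water/boundary_combine.html http://top.lossa.be/pro/
2013-08-01T10:00:05 10.0.0.5 142.0.45.29 xwqralq.servehttp.com GET /water/magnitude-geological.jar -
2013-08-01T10:00:07 10.0.0.5 142.0.45.29 xwqralq.servehttp.com GET /water/magnitude-geological.txt?f=102 -
2013-08-01T10:00:09 10.0.0.5 5.104.106.79 5.104.106.79 POST /index.php -
2013-08-01T10:01:03 10.0.0.7 188.120.236.219 top.lossa.be GET /pro/ http://www.youtube.com/watch?v=qf8TpcSuRWA
2013-08-01T10:01:04 10.0.0.7 142.0.45.29 xwqralq.servehttp.com GET /water/boundary_combine.html http://top.lossa.be/pro/
2013-08-01T10:01:05 10.0.0.7 142.0.45.29 xwqralq.servehttp.com GET /water/magnitude-geological.jar -
2013-08-01T10:01:07 10.0.0.7 142.0.45.29 xwqralq.servehttp.com GET /water/magnitude-geological.txt?f=102 -
2013-08-01T10:05:00 10.0.0.9 192.0.2.20 www.example.com GET /index.html -
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<server>\S+) (?P<host>\S+) "
                     r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<referer>\S+)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_log(text):
    """Parse log lines into dicts; comment lines and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def ioc_hits(rows):
    """Plain indicator matching: returns (client, reason, indicator) tuples."""
    hits = []
    for r in rows:
        if r["host"] in KNOWN_EK_HOSTS or r["server"] in KNOWN_EK_IPS:
            hits.append((r["client"], "exploit kit host", r["host"]))
        elif r["server"] in KNOWN_CALLBACK_IPS:
            hits.append((r["client"], "known callback IP", r["server"]))
    return hits


def _path(r):
    return urlsplit(r["path"]).path


def chain_detections(rows, window_s=120):
    """Behavioural detection: landing .html -> .jar -> .txt?f= on one host,
    then a POST to a bare IP. It does not depend on the domains, so the same
    kit on a fresh host is still caught; a chain with no POST is reported as
    an attempt, like the one machine in the write-up that was not infected."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    alerts = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(reqs):
            if landing["method"] != "GET" or not _path(landing).endswith(".html"):
                continue
            host = landing["host"]
            later = [r for r in reqs[i + 1:]
                     if (r["ts"] - landing["ts"]).total_seconds() <= window_s]
            jar = next((r for r in later if r["host"] == host
                        and _path(r).endswith(".jar")), None)
            if jar is None:
                continue
            payload = next((r for r in later if r["host"] == host and r["ts"] > jar["ts"]
                            and _path(r).endswith(".txt")
                            and "f=" in urlsplit(r["path"]).query), None)
            if payload is None:
                continue
            callback = next((r for r in later if r["ts"] > payload["ts"]
                             and r["method"] == "POST" and IP_RE.match(r["host"])), None)
            alerts.append({
                "client": client, "ek_host": host, "landing": landing["path"],
                "jar": jar["path"], "payload": payload["path"],
                "callback": f"{callback['server']} {callback['path']}" if callback else None,
                "status": "infected" if callback else "exploit attempt",
            })
    return alerts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(rows):
        print("IOC", *hit)
    for alert in chain_detections(rows):
        print("CHAIN", alert)
```

The indicator match is the quick win for this specific campaign; the chain detection is what keeps working when the kit moves to a new dynamic DNS hostname, and separating "infected" from "exploit attempt" by the presence of the POST callback is the same distinction the write-up draws between the two infected machines and the third one.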

 

SNORT EVENTS

Screenshot of Emerging Threats signature hits from Sguil on Security Onion (without ET POLICY or ET INFO events):

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2013-07-31-Cool-EK-java-exploit.jar
File size:  18.8 KB ( 19259 bytes )
MD5 hash:  b8d4d2ed6243b9d35b405ace07d59de7
Detection ratio:  25 / 54
First submission:  2013-07-31 14:59:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/28b7d1b825b968a41841477b21051c6632639a8bfb337553fabbe8de5f518295/analysis/

MALWARE PAYLOAD:

File name:  2013-07-31-Cool-EK-malware-payload.exe
File size:  141.0 KB ( 144384 bytes )
MD5 hash:  461208781ae162e11aacf09442d6e6fb
Detection ratio:  49 / 53
First submission:  2013-07-31 17:56:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/81d1c304f4c13c5936cfda229419cffb104bb682ea6fe0c0d4b8a5ce42a37dcc/analysis/

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
